Case Study: Automating Code Reviews for Custom SAP ABAP Applications with Virtual Forge Code Profiler
Check out this much-noticed presentation held at the 2013 ASUG Annual Conference. Attendees were pleased and excited by the content that was presented.

    Presentation Transcript

    • GM: Automating Code Reviews for Custom ABAP Applications to Reduce Risk and Lower TCO
      – Markus Seibel, GM
      – Dr. Markus Schumacher, Virtual Forge
    • Who we are
      – Markus Seibel: SAP Security Lead, Adam Opel AG / GM, Rüsselsheim, Germany
      – Dr. Markus Schumacher: CEO of Virtual Forge, Heidelberg | Weimar | Philadelphia
      – Twitter: @virtual_forge | Questions: #safercode
    • Agenda
      – SAP CCOE @ GM EMEA
      – CPR - Automated Change Management at GM
      – Potential Risks from Bad ABAP Code
      – ABAP Firewall: Automatic Code Scanning
      – Summary
    • SAP CCOE @ GM EMEA
      – Strengthen SAP CCoE within Business Functions to drive efficiency and optimization
      – Run in-flight programs
      – Contribute to GM Global SAP Initiatives
    • LOCATIONS and SCOPE MANAGED (map slide)
    • EMEA SAP CCOE plays Global Engagement within the GM Global SAP Program Portfolio (diagram: Template; Plan / Build / Run convergence; Bill of IT, Bill of Process, Shared Governance)
    • Conflicting Project Goals
      – Goals of project / implementation teams: project budget and go-live date; delivered product must work at point of hand-over; satisfy the "direct customers" (e.g. new site); minimize coordination effort wherever possible (with the customer as well as team-/supplier-internally); minimize regression tests; scope reductions (classic "not part of our job / contract" discussions); low cost / offshore
      – Goals of customer / system owner / CCoE: long-term maintainability; harmonized processes and "templates"; avoiding redundancies; low operating costs; secure environment; quality, sustainability and no surprises in coding
      – Approaches seen in practice: clone existing ABAP code instead of extending or reusing existing functionality; ignore the template, rather clone the legacy system wherever possible; quick and dirty, hard-coded; cheap resources instead of experienced staff; delay progress in order to force the customer to accept unsatisfactory solutions to keep the timeline; …
      – Have you ever wondered where all the vulnerabilities are coming from?
      – An SAP CCoE has to combine two contradicting goals to make a project really successful: support and manage the project, and "defend" the system against the project team (!)
    • Automated Change Management: CPR – GM's Global SAP Change Management
      – Custom GM solution for managing SAP changes
      – Similar functionality to ChaRM
      – Manages the entire change process from ticket creation to Prod
      – Tight integration with SAP
      – Tracks changes, approvals, create/release transports, etc.
      – Ensures compliance (SOX, ITIL, internal, etc.)
      – 'ABAP Firewall': static code analysis of ABAP application code and changes
    • ABAP Firewall (Virtual Forge CodeProfiler)
      – Tightly integrated with CPR and SAP
      – Tests all domains: Security, Compliance, Performance, and Quality
      – Very low false positive rate (<5%)
      – Online scanning for development
      – Fast scan rate for high-volume scanning (>10k LOC/sec)
      – Complete reporting and audit detail
      – Integrated with ABAP Workbench, Eclipse, SAP TMS, Solution Manager, etc.
    • Increased Complexity and Risk: The Attack Surface of ABAP (three diagram slides: 1997, 2002, since 2007)
    • More sophisticated Attackers – Script Kiddies
      – Minor knowledge
      – Works with "copy & paste" and uses public information, programs, tools, etc. in order to attack / damage computer systems
      – Random targets
      – Motivation: usually reputation
    • More sophisticated Attackers – Professional Attackers
      – Highly skilled
      – Almost unlimited time and money resources
      – Targeted attacks (e.g. Stuxnet)
      – Often internal attackers
      – Motivation: industrial espionage, sabotage, …
    • ABAP™ Quality Benchmark: average number of findings per scan

      Domain            Total Findings   Critical Findings
      Security                   7,438               1,571
      Compliance                 2,404                 221
      Performance               18,277               1,384
      Maintainability           12,954                   -
      Robustness                 9,286                 710
      TOTAL                     50,359               3,886

      – 62.5 % probability of an ABAP Command Injection vulnerability
      – 100 % probability of defective authorization checks
      – 95.83 % probability of a Directory Traversal vulnerability
      – Anonymized data from 60 ABAP code analysis projects, Ø 1.65 million lines of code per scan (status: May 2012)
      – Roughly 1 critical security defect every 1,000 lines of ABAP code
    • Regulatory Compliance
      – PCI-DSS (Payment Card Industry Data Security Standard): CodeProfiler provides more than 30 test cases in order to test for PCI DSS compliance (PCI DSS Requirements and Security Assessment Procedures, Version 2.0).
      – PII (Personally Identifiable Information): To protect PII, CodeProfiler has test cases related to the disclosure of critical data ("assets"). Exit points for this domain exist in the following classifications: SAP GUI, HTTP/HTML, FTP, GUI Download, Files, Return values of RFC-enabled function modules. The main purpose of this test domain is to identify data leaks.
      – SOX: CodeProfiler provides more than 30 test cases in order to test for SOX / SOX-EUR compliance (Sarbanes-Oxley Act). SOX audits rely on IT General Controls (ITGC) to provide a sound technical basis for the reliability and accountability of business processes. Custom development is relevant for Change Management, which is in turn relevant for ITGC. Therefore, any changes to program logic are SOX relevant if they introduce a potential security issue. ABAP coding practices and standards must ensure that ITGC are not bypassed by insecure coding. SOX audits must check that appropriate controls are in place that make sure no relevant security defects exist in ABAP code.
    • Code Governance & Control: Built into the Process
      1. Release transport (SAP Development)
      2. Automatic analysis of all transports by CodeProfiler (TMS / ChaRM) acting as gatekeeper. Quality OK? NO: reject transport. YES: allow transport to SAP Test / QA.
      3. [Optional] Ask QA for an exception (peer review). Quality OK? NO: reject approval. YES: allow transport.
    • Data and Control Flow Analysis (Patented): show only findings that matter
      – Input (SAP GUI, BSP, RFC, ...) → Dangerous Statement → Software
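The slide contrasts plain pattern matching with data flow analysis that reports a dangerous statement only when an input can reach it. The following is an added illustration of that idea, not Virtual Forge or GM code: a toy, forward-only taint tracker over a constructed ABAP snippet, modelling PARAMETERS as the input source, assignment and APPEND as propagation, and three sinks named on the slides (ABAP Command Injection, Directory Traversal, SQL Injection). A real analyzer also models procedures, sanitizers and many more statement kinds.

```python
import re
from typing import List, Set, Tuple
# Dangerous statements ("sinks") taken from the test scopes on the slides; each
# regex captures the variable or internal table that feeds the statement.
SINKS = [
    (r"^GENERATE SUBROUTINE POOL (\w+)", "ABAP Command Injection"),
    (r"^OPEN DATASET (\w+)", "Directory Traversal"),
    (r"^SELECT .* WHERE \((\w+)\)", "SQL Injection"),
]

# Constructed sample (not from the slides): two sinks are fed by PARAMETERS
# input, the third only by a string literal.
SAMPLE = """
PARAMETERS p_code TYPE string.
PARAMETERS p_file TYPE string.
lv_src = p_code.
APPEND lv_src TO lt_code.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
lv_path = p_file.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
lv_where = 'CARRID = ''LH'''.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
"""

def scan(abap: str) -> Tuple[List[tuple], List[tuple]]:
    """Return (pattern_findings, flow_findings) as (stmt_no, kind, stmt) tuples."""
    tainted: Set[str] = set()          # names currently holding input data
    pattern, flow = [], []
    for no, raw in enumerate(abap.strip().splitlines(), 1):
        stmt = raw.strip().rstrip(".")
        # Propagate taint forward through the statement kinds we model.
        if m := re.match(r"^PARAMETERS (\w+)", stmt, re.I):
            tainted.add(m.group(1).lower())         # source: user input
        elif m := re.match(r"^APPEND (\w+) TO (\w+)", stmt, re.I):
            if m.group(1).lower() in tainted:
                tainted.add(m.group(2).lower())
        elif m := re.match(r"^(\w+) = (.+)$", stmt):
            dst, src = m.group(1).lower(), m.group(2).lower()
            if src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)                # overwritten with clean data
        # Report sinks: pattern matching flags all, flow analysis only tainted ones.
        for rx, kind in SINKS:
            if m := re.match(rx, stmt, re.I):
                pattern.append((no, kind, stmt))
                if m.group(1).lower() in tainted:
                    flow.append((no, kind, stmt))
    return pattern, flow
```

On the sample, pattern matching reports all three sinks while the flow-aware pass reports only the two reachable from PARAMETERS input; the literal-driven SELECT is the kind of false positive the slide says the analysis suppresses.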
    • CodeProfiler: Comprehensive Test Scopes
      – Security tests: ABAP™ Command Injection, OS Command Execution, SQL Injection, Broken Authority Checks, Hard-Coded Usernames, ...
      – Performance: Usage of WAIT Command, Usage of SELECT *, Nested Loop, Incomplete Index, ...
      – Data Loss Prevention: Disclosure of Critical Data, Disclosure of Source Code, Maintenance of sensitive data, …
      – Maintainability & Robustness: Naming Conventions, Nested Macro Calls, Hard-coded Org Units, Insufficient Error Handling, ...
    • Custom Development: Cost of Defects (Custom ABAP Development Facts)
      – $100 to correct a defect during development
      – $1,000 to correct a defect found in QA testing
      – $10,000 to correct a defect in production
      – $$$$$ cost of an attack or system down
    • ABAP Code Scanning - Benefits: Lower Risk
      – Detects and supports remediation of vulnerabilities: cyberattacks, system failures, data theft/fraud, industrial espionage
      – Tests in-/out-sourced development and 3rd-party add-ons: enforces standards for all development deliverables; clear and enforceable definition of programming standards
      – Ensures all ABAP code changes meet compliance and audit requirements
    • ABAP Code Scanning - Benefits: Lower TCO
      – Problems are found earlier in the SDLC = lower cost to remediate a defect
      – Better quality code (maintainability, performance, robustness) = lower test and maintenance costs
      – Reduced review and testing times = faster delivery of new applications
      – Automated scanning = less use of (expensive) development resources
      – Online scan and remediation support for faster resolution = less time for corrections and repair
      – Better quality code = fewer SAP production system issues
    • Internal Control Systems - Structure in the ERP Environment (ABAP Security in Context), from outer to inner layer:
      – IT General Controls (ITGC)
      – Change Management
      – ABAP Application Code
      – Business Rules Enforcement: Authentication, Encryption, Authorization, Logging, Interfaces, Audit, …
    • Custom Development: Source of Defects (Custom ABAP Development Facts)
      – Little/no technical specifications
      – Manual/basic code reviews
      – Testing focused on functional aspects
      – External/3rd-party development
      – Limited/no code change monitoring
    • Custom Development: Business Risks Due to Security Defects
      – Cyberattacks
      – Data theft/fraud
      – Industrial espionage
      – Loss of image
      – System failures
    • ABAP Static Code Scanning: Benefits of Static Code Scanning
      – Increase: security and compliance of SAP® applications; performance; system stability; quality standards of internal and external software development
      – Decrease: business risks; maintenance efforts; test and correction efforts; operating costs
    • About BIZEC
    • Meet Markus at the Virtual Forge Booth 2227B. Follow @virtual_forge and ask about #safercode
    • THANK YOU FOR PARTICIPATING
      – Please provide feedback on this session by completing a short survey via the event mobile application. SESSION CODE: 0610
      – For ongoing education on this area of focus, visit www.ASUG.com
      – Meet Markus at the Virtual Forge Booth 2227B